The fight against ransomware is happening on many different fronts and while some ransomware gangs are making rather large piles of money, law enforcement and security researchers have had their successes, as well. The takedowns of some ransomware-adjacent botnets and arrests of some ransomware operators have forced criminals to adjust their tactics and techniques, which in turn has made life more difficult for the researchers and investigators who track them.
The most disruptive change that ransomware gangs have made recently is the shift away from vertical integration and toward specialization and diversification. In the early days of the ransomware epidemic, the people who developed ransomware were usually the same ones who gained access to victim networks and then deployed the ransomware. That model works pretty well for criminals who have a broad skill set, but for those who just want to make some easy money without actually learning how to do the thing that produces that money, it’s a little daunting. Enter the ransomware-as-a-service model, a model that divides the various tasks in the ransomware creation, infection, deployment, and payment ecosystem among people with the specific skills necessary to accomplish them. In this system, ransomware developers write the malware and then farm it out to affiliates, who deploy it and split any resulting profits with the developers.
RaaS is now the dominant model among ransomware gangs and it has proven to be extremely profitable for many of them. It has also had the effect of giving law enforcement fits.
“Specialization has made investigation more difficult because you're not just looking at one criminal group, you’re looking for several. It has made investigations more complex,” said Marijn Schuurbiers, deputy head of the Dutch High Tech Crime Unit, during a panel discussion on ransomware Monday sponsored by the No More Ransom initiative.
“The market has gotten more efficient. People specialize in coding one thing really good and leave the rest to other people.”
Perhaps the most prominent example of RaaS is the Russia-based REvil group, which is responsible for some of the nastier and more notorious ransomware infections in recent memory. The most recent ugliness attributed to REvil is the mass infection of more than 1,500 companies that use the Kaseya VSA platform earlier this month, an event that led President Joe Biden to tell Russian President Vladimir Putin that the United States “will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”
Soon after the Kaseya incident, the REvil operation essentially dropped offline. But there are plenty of other RaaS operations still going strong and making considerable amounts of money.
“The groups that are still operating, they did separate duties very well. They all use what works best, like exploit kits, phishing campaigns. Everybody’s doing the thing they’re very good at,” said Catalin Cosoi, senior security strategist at Bitdefender.
Disrupting RaaS operations has proven to be challenging, thanks to their decentralized nature and the ability these groups have shown to shift their infrastructure whenever necessary. One of the key methods that researchers have used to defeat RaaS operations is finding mistakes or weaknesses in the encryption schemes the ransomware employs. That works in some cases, but it’s by no means a panacea.
“We constantly have to find the Achilles heel of criminals. They will improve and evolve but there will always be an Achilles heel. Is it the encryption algorithm? That’s always a great one but there will be others,” said Schuurbiers.
On the defensive side, maintaining current, offsite backups of all key enterprise systems can be the key to recovering from a ransomware infection. But stopping the infection in the first place is just as important, and Schuurbiers said implementing two-factor authentication on high-value systems and services is quite valuable.
“We have seen incidents where as soon as they hit 2FA, they drop it and go on to the next victim. They have so many potential victims, if they see 2FA they leave. Implement 2FA on your most important data,” he said.
Ransomware began as a nuisance, evolved into an enterprise threat, and has now reached the point of being a national security concern. Given the amount of money to be made and the volume of potential victims available, it’s unlikely that ransomware will drop off the map anytime soon.
“It’s unfortunately a very successful criminal business model. I don’t think we’ll see this disappear in the near future. It goes way beyond the financial damage. There’s a real risk to our lives,” said Philipp Amann, head of strategy at Europol’s EC3 cybercrime unit.